Why Threat Intelligence is Central to Effective Vulnerability Prioritization
Adding context to information is essential for accurate decision making
Internal vulnerability scanning is the foundation for vulnerability prioritization , collecting vulnerability data and categorizing it within a basic severity model. Adding external intelligence from a broad range of open, closed and private sources adds the necessary context for actions to be decided upon. Final prioritization can then be validated by applying behavioral knowledge about threat actors, delivered by a combination of automated algorithms and experienced human analysts.
The same kind of model is used in the apocryphal story of ‘the tomato salad’. The tomato can be categorized accurately as a fruit. Further context from applied intelligence tells you that it is a safe, appropriate ingredient in a salad. Behavioral knowledge prevents the restaurant from adding it to a fruit salad!
Do not allow CVE/CVSS scoring to be a distraction
When a new vulnerability is discovered, security teams’ existing scanning infrastructure will detect it and categorize it. As illustrated above, this may not prove particularly useful because the classification alone has no appropriate context. CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring Systems) ratings tend to weigh according to the global significance of a given vulnerability, rather than its relevance to your specific location, industry sector or which assets are most important to you. Relying solely upon CVE/CVSS (and related vulnerability databases) means being governed by prescribed risk calculations, rather than using threat intelligence to understand risks as they apply uniquely to your organization.
In fact, focusing solely on ‘Critical’ or ‘High’ severity classifications is considered bad practice by, among others, the National Cyber Security Centre, part of the UK GCHQ intelligence service. Its guidance states that organizations must “not select an arbitrary score above which vulnerabilities must be fixed…” and “not take raw CVSS scores without first taking into account organization-specific priorities.”
Understanding the lifecycle of vulnerabilities
The other major benefit of applying intelligence to your vulnerability management process is to overcome the resource drain of dealing with false positives and alert fatigue. Recent Ponemon Institute/Exabeam research found that security teams at US enterprises struggled to keep pace with an average of 4,000 alerts per week, and spent around 25% of their time chasing false positives.
Using external threat intelligence in tandem with internal vulnerability scanning contributes significantly to isolating those vulnerabilities demanding critical intervention. And that’s especially important when you consider the narrow window of opportunity that these teams have to address new vulnerabilities that attackers elect to weaponize.
The typical vulnerability lifecycle shows a time lag between the discovery of a vulnerability and its exploitation and ‘weaponization’ by threat actors. In some instances this may be only a matter of 10-20 days, though in most cases vulnerabilities are never weaponized at all. With this in mind, teams must logically plan for an optimum horizon of just a few weeks at most, for any vulnerability deemed a priority.
Unfortunately, even with some level of prioritization in place, organizations can take far longer than this to patch vulnerabilities. Even the most (apparently) critical vulnerabilities can take on average 34 days to patch, with ‘low’ severity flaws taking 54 days. These time lapses fall troublingly short of the period it would take a determined threat actor to react to a new vulnerability and potentially launch a successful attack. Moreover, given the temptation in some quarters to address those vulnerabilities ranked most critical by their CVE/CVSS data collection classifications, certain vulnerabilities that may appear of low severity to all organizations (but may in fact represent a significant and urgent risk to particular organizations) will remain unpatched for significantly longer.
How threat intelligence enables true risk-based vulnerability prioritization
By their very nature, vulnerability databases struggle to keep up with what threat actors are doing to exploit security holes and are constantly behind the curve. Indeed, Blueliv’s broad scope of external threat intelligence sources routinely discovers vulnerabilities disclosed in public forums, social media, dark web marketplaces, code repositories and many other places – days or even weeks before they are published on government-sponsored vulnerability databases like NIST’s NVD.
The answer to achieving enough velocity to patch the right vulnerabilities in time lies in harnessing these intelligence sources to track and validate the emergence of vulnerabilities ranging into your organization’s unique risk profile.
In this approach, the relative prioritization of vulnerabilities can change dynamically in step with their exploitation outside the organization. Intelligence can be used to determine the prevalence and sophistication of each exploit as it progresses through risk milestones, in much the same way as terrorist plots are monitored and reported upon by civil defence and police agencies. Response measures can then be employed at the appropriate juncture with the resources available.
Every organization may end up leveraging the same tools and information sources, but the crucial difference is that each will define their own individual set of prioritized vulnerabilities and act upon them accordingly.
Employing a combination of internal vulnerability scanning, external threat intelligence and an advanced behavioral understanding of exploits and their perpetrators is the optimum model for effective vulnerability prioritization. This is why Gartner’s Guidance Framework for Developing and Implementing Vulnerability Management incorporates a prioritization process built upon using a risk-based approach, and other leading experts agree that threat intelligence is vital to providing real-time context for making these important decisions.
We meet this need with our Threat Context module, a powerful deep defense module providing up-to-the-minute, actionable intelligence about threat actors, campaigns, IOCs, attack patterns, tools signatures and CVEs based on an evolving landscape of over 150 million qualified threat items. Threat Context can be used alongside any combination of other modules from the universal threat intelligence solution.
Some of the key innovations with Threat Context include:
- Charting how specific CVEs relate to actors, campaigns and tools. The provides security teams with the ability to drill-down into individual exploits and the extent to which they are currently being used by attackers/in attacks.
- Collating evidence from intelligence sources against specific CVEs. This allows security teams to understand the volume and variety of individual mentions, including from an unparalleled number of dark web sources. This proprietary capability is supplemented by the Blueliv community.
- A dynamic Blueliv scoring system for CVEs. Rather than remaining static, this scoring accurately reflects their growing exploitation/weaponization rather than benchmarking at a point in time.